VLAN ACL - To separate one vlan from another

Answered Question
Jan 29th, 2008

I have configured intervlan in Multilayer switches. But i need to separate one vlan, vlan 100 from other vlan..but i just allow only subnet on vlan 100 can access the vlan 100..all other subnet in other vlan cannot access it. How the configuration works?

Correct Answer by Collin Clark about 9 years 3 weeks ago

Create the layer 3 interface for VLAN 100 then. Let's assume that the IP subnet for vlan 100 is 192.168.100.0 /24, VLAN 2 is 192.168.2.0 /24, etc.


I would create an ACL and apply it to the layer 3 VLAN interface.


access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 deny ip any any log

Apply in


access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 102 deny ip any any log

Apply out


This is just one way to do it.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
noxkrugger Thu, 01/31/2008 - 12:34

HI


Thanks for the info..But if I dont config the IP adrress at int vlan 100, how come the client of the vlan 100 will choose their gateway to coming out..supposely to ave ip on the int vlan 100.. i need to block the incoming traffic and outgoing traffic from vlan 2,3,4,5 to vlan 100 and allow only vlan 11 to communicate with vlan 100.


how to achieve that using vlan access-map or VACL?

Correct Answer
Collin Clark Thu, 01/31/2008 - 12:49

Create the layer 3 interface for VLAN 100 then. Let's assume that the IP subnet for vlan 100 is 192.168.100.0 /24, VLAN 2 is 192.168.2.0 /24, etc.


I would create an ACL and apply it to the layer 3 VLAN interface.


access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 deny ip any any log

Apply in


access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 102 deny ip any any log

Apply out


This is just one way to do it.

Actions

This Discussion